Vukelić B., Polytechnic of Rijeka; Božić Pavletić Z., VPS Minerva Dugopolje; Matić Vukelić U., Astrila Translation Services

Using the multicriteria decision making method PROMETHEE & GAIA for information security risk management standards selection
Introduction
Information technology risk is any risk related to information technology. This is a
relatively new term due to an increasing awareness that information security is simply one
facet of a multitude of risks that are relevant to IT and the real-world processes it supports.
Generally speaking, risk is the product of the likelihood of an event occurring and the impact
that event could have on an information technology asset.
Due to this problem, companies look for standards organizations to provide guidance
when it comes to best practices in information security. But, the choice of the best standard is
a challenge. There are numerous standards available and many factors to evaluate, such as
scope, usage and maturity. In recent years, several decision aid methods and decision
support systems have been proposed to help select the best compromise alternative.
This paper compares the three leading standards (ISO 27005, NIST SP 800-30 and OCTAVE)
using the multicriteria decision method PROMETHEE & GAIA. The purpose of this paper is not
to explain the PROMETHEE methodology in detail, but only to present the results provided
by the Visual PROMETHEE software on the abovementioned example. Visual PROMETHEE is the
only PROMETHEE-based software developed and supported by the authors of the
PROMETHEE & GAIA methodology.
PROMETHEE & GAIA Method
PROMETHEE & GAIA is a multi-criteria decision aid methodology that has been
developed by Jean-Pierre Brans and Bertrand Mareschal at the ULB and VUB universities
since 1982. The GAIA descriptive approach appeared in 1989. [1]
It is a ranking method that is quite simple in conception and application compared to other
multi-criteria analysis methods. It is well suited to problems in which a finite number of
alternative actions are to be ranked against several, sometimes conflicting, criteria. [2]
The PROMETHEE method (Preference Ranking Organization METHod for Enrichment
Evaluation) is appropriate for treating a multi-criteria problem of the following type:

$$\max\{f_1(a), \ldots, f_n(a) \mid a \in A\}, \quad (1)$$

where $A$ is a finite set of possible alternatives and $f_j$ ($j = 1, \ldots, n$) are $n$ criteria
to be maximized. For each alternative $a$, $f_j(a)$ is the evaluation of that alternative on
criterion $j$. When two alternatives $a, b \in A$ are compared, the result of the comparison
must be expressible in terms of preference.

One of the advantages of using PROMETHEE methods is the possibility of a geometrical
interpretation of the results by the GAIA method (Geometrical Analysis for Interactive
Aid). In 1989 the introduction of GAIA added a descriptive complement to the PROMETHEE
rankings. A graphical representation of the multi-criteria problem enables the decision
maker to better understand the available choices and the compromises he or she will have
to make in order to reach the best decision. GAIA can also be used to see the impact of the
criteria weights on the PROMETHEE rankings.
The PROMETHEE & GAIA methods are based on the Preference Modeling method, which
increases the efficiency of any complex decision-making, and on the Pairwise Comparison
method, in which alternatives are compared to each other. It is highly recommended to read
more about both methods in order to understand how they impact the final decision. [3]
Rather than pointing out the "right" decision, the PROMETHEE & GAIA method helps
decision makers find the alternative that best suits their goal and their understanding of the
problem. It provides a comprehensive and rational framework for structuring a decision
problem, for identifying and quantifying its conflicts and synergies and its clusters of
actions, and for highlighting the main alternatives and the structured reasoning behind
them. [3]
Decision situations to which PROMETHEE & GAIA can be applied include: [4]
Choice: the selection of one alternative from a given set of alternatives, usually where
multiple decision criteria are involved.
Prioritization: determining the relative merit of the members of a set of alternatives, as
opposed to selecting a single one or merely ranking them.
Resource allocation: allocating resources among a set of alternatives.
Ranking: putting a set of alternatives in order from most to least preferred.
Conflict resolution: settling disputes between parties with apparently incompatible
objectives.
Criteria and alternatives
Many companies have problems with information security. Because of lack of
expertise, they look for consultation and guidance from standards organizations, which will
help them find the best possible solution. Risk management encompasses three processes: risk
assessment, risk mitigation, and evaluation and assessment. Risk management is the process
that allows IT managers to balance the operational and economic costs of protective measures
and achieve gains in mission capability by protecting the IT systems and data that support
their organizations' missions. This process is not unique to the IT environment; indeed it
pervades decision-making in all areas of our daily lives. [6]


Figure 1. Risk management process [4]

After the problem has been defined, the first step in the PROMETHEE & GAIA method is
defining the objective, which here is the choice of an optimal security standard. Next, it is
necessary to define the criteria and the alternatives (ISO 27005, NIST SP 800-30 and
OCTAVE), which are briefly described below.
ISO/IEC 27005:2008
ISO/IEC 27005:2008 is applicable to all types of organizations (e.g. commercial
enterprises, government agencies, non-profit organizations) which intend to manage risks that
could compromise the organization's information security. ISO 27005 is a widely accepted
methodology and it covers technology, people and processes in risk assessment. Risk
assessment is defined through identification, estimation and evaluation. The framework of
ISO 27005 consists of two elements: risk analysis and risk evaluation. ISO/IEC
27002:2005, Code of practice for information security management, recommends examining
the following during a risk assessment: security policy, organization of information security,
asset management, human resources security, physical and environmental security,
communications and operations management, access control, information systems acquisition,
development and maintenance, information security incident management, business
continuity management and regulatory compliance. [5]
NIST SP 800-30
The purpose of NIST SP 800-30 is to provide guidance for conducting risk
assessments of federal information systems and organizations. Risk assessments, carried out
at all three tiers in the risk management hierarchy, are part of an overall risk management
process providing senior leaders/executives with the information needed to determine
appropriate courses of action in response to identified risks. It provides guidance for carrying
out each of the steps in the risk assessment process (i.e., preparing for the assessment,
conducting the assessment, communicating the results of the assessment, and maintaining the
assessment) and how risk assessments and other organizational risk management processes
complement and inform each other. Special Publication 800-30 also provides guidance to
organizations on identifying specific risk factors to monitor on an ongoing basis, so that
organizations can determine whether risks have increased to unacceptable levels (i.e.,
exceeding organizational risk tolerance) and whether different courses of action should be
taken. [7]
NIST SP 800-30 is most suited for technology related risk assessment aligned with common
criteria. The risk assessment methodology encompasses nine primary steps: System
Characterization, Threat Identification, Vulnerability Identification, Control Analysis,
Likelihood Determination, Impact Analysis, Risk Determination, Control Recommendations
and Results Documentation. According to NIST SP 800-30, risk assessment is the analysis of
threats in conjunction with vulnerabilities and existing controls.
OCTAVE
OCTAVE is a set of tools, techniques and methods for risk assessment and strategic
planning of information security. OCTAVE is an acronym of the following English words: O
= Operationally, C = Critical, T = Threat, A = Asset, VE = Vulnerability Evaluation.
According to the OCTAVE standard, a risk assessment provides the information necessary
for making risk management decisions regarding the degree of security remediation. OCTAVE
methods are founded on the OCTAVE criteria, a standard approach for a risk-driven and
practice-based information security evaluation. The OCTAVE criteria establish the
fundamental principles and attributes of risk management that are used by the OCTAVE
methods. The OCTAVE methods are self-directed, which means that small teams of
organizational personnel across business units and IT work together to address the security
needs of the organization. They are also flexible, which means that each method can be
tailored to the organization's unique risk environment, security and resiliency objectives, and
skill level. Another important feature of OCTAVE methods is that they are evolved, which
means that OCTAVE moved the organization toward an operational risk-based view of
security and addresses technology in a business context.
After defining and describing the alternatives, it is necessary to define the criteria. Seven
criteria were used; they are explained below. Although the PROMETHEE & GAIA method
allows both quantitative and qualitative criteria, cost was intentionally left out as a
quantitative value. It is one of the most important criteria, but it depends on the scope of
implementation and the size of the organization. The remaining qualitative criteria were
compared.
Information gathering refers to different methods of data gathering from the employees
(interview, questionnaire etc.).
Simplicity of use. It evaluates whether the method is applicable for the organization and
whether the method can be adapted for needs of a specific field. It also describes the amount
of human and technical resources necessary for implementation.
Spread of use. This criterion captures the maturity of the standard as a selection
criterion. It encompasses the spread of use of the method: how long the method has existed,
how often it is updated and its geographical spread of use, along with the availability of
consultants on the open market or under licence.

Software and Tools. This criterion evaluates the availability of software and tools which are
necessary for the implementation.
Documentation. It refers to available documentation, available helplines, manuals and
instruction guides.
Risk assessment. It evaluates how well the standard solves identification, analysis and
evaluation of risks.
Risk treatment. It involves selecting and implementing measures to modify risk. Risk
treatment measures can include avoiding, optimizing, transferring or retaining risk.
Each criterion was rated on a verbal scale, that is, with the following values:
very bad, bad, average, good and very good.

Verbal scale: Very bad, Bad, Average, Good, Very good
Table 1. Verbal scale

The abovementioned criteria and alternatives were processed in the Visual PROMETHEE
software. Figure 2 shows its main window. The spreadsheet contains three collapsible sections:
Preferences, Statistics and Evaluations.

Figure 2. The VisualPROMETHEE main spreadsheet

Figure 3 shows that the PROMETHEE I Partial Ranking is based on the comparison of
the leaving flow (Phi+) and the entering flow (Phi-). The left column corresponds to the Phi+
scores and the right column to the Phi- scores. They are oriented such that the best scores are
at the top. The middle column then corresponds to the net flow (Phi = Phi+ - Phi-). On the
left side you can see the ranking of the actions according to Phi+; on the right side you can
see the ranking of the actions according to Phi-. For each action a line is drawn from its Phi+
score to its Phi- score.
When a line lies completely above another one, the corresponding action is better on
both Phi+ and Phi-. That action is therefore preferred to the other in the PROMETHEE I
Partial Ranking. When the two lines cross, the action is better on one flow and worse on the
other, and the two actions are incomparable in the partial ranking.
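The flow computation behind the PROMETHEE I partial ranking just described, and behind the preference comparison of problem (1) in the method section, as an added worked example in Python. This is not part of the paper and is not Visual PROMETHEE output: the seven criteria and the Table 1 verbal scale are the paper's, but the verbal scores assigned to each standard, the equal criterion weights, the mapping of the scale to 1..5 and the choice of the usual preference function are constructed assumptions, so the resulting ranking illustrates the mechanics and does not reproduce the authors' result. It goes slightly beyond the text in also computing the aggregated preference index pi(a, b) and the PROMETHEE II complete ranking by net flow.

```python
"""PROMETHEE I / II computation for three standards and seven criteria.
Added worked example: NOT the paper's data and NOT Visual PROMETHEE output.
The verbal scores, weights and preference function below are constructed."""
from fractions import Fraction      # exact arithmetic, so flow ties are real ties
from itertools import permutations

# Table 1 verbal scale mapped to an ordinal 1..5 scale (assumption: equal steps).
VERBAL = {"very bad": 1, "bad": 2, "average": 3, "good": 4, "very good": 5}

CRITERIA = ["information gathering", "simplicity of use", "spread of use",
            "software and tools", "documentation", "risk assessment",
            "risk treatment"]

# Constructed sample evaluations f_j(a): one verbal score per criterion, in
# CRITERIA order. These are illustrative values, not the authors' ratings.
EVALUATIONS = {
    "ISO 27005":      ["good", "good", "very good", "average", "good", "good", "very good"],
    "NIST SP 800-30": ["average", "good", "good", "average", "very good", "very good", "good"],
    "OCTAVE":         ["very good", "average", "average", "good", "average", "good", "average"],
}
WEIGHTS = [Fraction(1)] * len(CRITERIA)   # equal weights (assumption)


def usual_preference(diff):
    """Usual (type I) preference function: P_j = 1 as soon as f_j(a) > f_j(b)."""
    return Fraction(1) if diff > 0 else Fraction(0)


def level_preference(diff, q=0, p=1):
    """Level (type IV) function: indifferent up to q, half preference up to p.
    On the 1..5 ordinal scale, q=0 / p=1 makes a one-step gap count only half."""
    if diff <= q:
        return Fraction(0)
    if diff <= p:
        return Fraction(1, 2)
    return Fraction(1)


def aggregated_preference(a, b, evals=EVALUATIONS, weights=WEIGHTS, pref=usual_preference):
    """pi(a, b) = sum_j w_j * P_j(f_j(a) - f_j(b)) / sum_j w_j, criteria maximised as in (1)."""
    score = sum(w * pref(VERBAL[fa] - VERBAL[fb])
                for w, fa, fb in zip(weights, evals[a], evals[b]))
    return score / sum(weights)


def flows(evals=EVALUATIONS, weights=WEIGHTS, pref=usual_preference):
    """Leaving flow Phi+, entering flow Phi- and net flow Phi = Phi+ - Phi- per alternative."""
    names = list(evals)
    n = len(names)
    out = {}
    for a in names:
        phi_plus = sum(aggregated_preference(a, b, evals, weights, pref)
                       for b in names if b != a) / (n - 1)
        phi_minus = sum(aggregated_preference(b, a, evals, weights, pref)
                        for b in names if b != a) / (n - 1)
        out[a] = (phi_plus, phi_minus, phi_plus - phi_minus)
    return out


def partial_ranking(fl):
    """PROMETHEE I: for each ordered pair (a, b) return
    'P' if a outranks b (at least as good on both flows, strictly better on one),
    'I' if both flows are equal, '-' if b outranks a, and
    'R' if the two flows disagree, i.e. a and b are incomparable (crossing lines)."""
    rel = {}
    for a, b in permutations(fl, 2):
        ap, am, _ = fl[a]
        bp, bm, _ = fl[b]
        if ap == bp and am == bm:
            rel[(a, b)] = "I"
        elif ap >= bp and am <= bm:
            rel[(a, b)] = "P"
        elif ap <= bp and am >= bm:
            rel[(a, b)] = "-"
        else:
            rel[(a, b)] = "R"
    return rel


def complete_ranking(fl):
    """PROMETHEE II: every pair is comparable; alternatives sorted by net flow, best first."""
    return sorted(fl, key=lambda a: fl[a][2], reverse=True)


if __name__ == "__main__":
    fl = flows()
    for name, (pp, pm, net) in fl.items():
        print(f"{name:15s} Phi+={float(pp):.3f} Phi-={float(pm):.3f} Phi={float(net):+.3f}")
    print("PROMETHEE I relations:", partial_ranking(fl))
    print("PROMETHEE II ranking :", complete_ranking(fl))
```

With the constructed scores, ISO 27005 and NIST SP 800-30 tie on Phi+ (both 0.5) and the partial ranking is decided by Phi- alone, which is exactly the situation the two columns of Figure 3 are meant to expose; swapping `usual_preference` for `level_preference` or changing `WEIGHTS` is the kind of sensitivity check the GAIA weight analysis supports.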

Figure 3. PROMETHEE I Partial ranking

Figure 4 shows the percentage of information retained in the GAIA display, i.e. how much of
the original multi-criteria information survives the projection onto the plane. A color code is
used to qualify the result: green indicates a satisfying quality level, while red corresponds to
a level that is too low.

Figure 4. GAIA Visual analysis

Conclusion
The abovementioned standards differ from each other in various organizational and
technical aspects, such as methodology, human resources and software tools. The
PROMETHEE-GAIA methodology, which was used in this paper, has several advantages in
relation to some other methods of multiple criteria because it provides a complete ranking of
alternatives (from best to worst) together with an analysis of criteria and alternatives. The
paper has shown that this method can help us choose an optimal security standard. In this
case, it turned out to be ISO 27005.

Literature
[1] PROMETHEE & GAIA method, http://homepages.ulb.ac.be/~bmaresc/PROMETHEE.htm
[2] Prvulovic S. et al.: Application of Promethee-Gaia Methodology in the Choice of Systems for Drying Paltry-Seeds and Powder Materials, Strojniški vestnik - Journal of Mechanical Engineering 57(2011)10, p. 778-784
[3] D-Sight PROMETHEE & GAIA Methodology, http://www.d-sight.com/learning-center/promethee-gaiasoftware
[4] Preference ranking organization method for enrichment evaluation, http://en.wikipedia.org/wiki/Preference_ranking_organization_method_for_enrichment_evaluation
[5] Comparison between ISO 27005, OCTAVE & NIST SP 800-30, http://sisainfosec.com/blog/comparison-between-iso-27005-octave-nist-sp-800-30-2/
[6] Gary Stoneburner, Alice Goguen, and Alexis Feringa: Risk Management Guide for Information Technology Systems, NIST Special Publication 800-30
[7] Guide for Conducting Risk Assessments, NIST, September 2012, http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
